feat(tcp,conntrack): drop DNAT/SNAT conntrack entries #44

Draft
kr3v wants to merge 3 commits into live-4.2 from istio-netlink-conntrack-v2

Conversation

@kr3v kr3v commented May 14, 2026
Kimchi Summary

What changed

Skip netfilter conntrack entries that have source or destination NAT flags during checkpoint dump. These entries cannot be faithfully restored, so they are now excluded from the image instead of being saved and incorrectly recreated as non-NAT flows.

Why

The kernel strips IPS_SRC_NAT and IPS_DST_NAT status flags when conntrack entries are restored. As a result, previously NATed connections would be resurrected as plain non-NAT entries, breaking those connections rather than preserving them.

Key changes

  • criu/net.c: Added is_nf_dsnat() helper to parse NFNETLINK conntrack messages and detect IPS_SRC_NAT or IPS_DST_NAT status flags.
  • criu/net.c: Modified dump_one_nf() to call is_nf_dsnat() and skip matching entries, emitting a warning via pr_warn() instead of writing them to the checkpoint image.
  • Added <arpa/inet.h> and <linux/netfilter/nf_conntrack_common.h> includes for ntohl() and NAT flag definitions.

Impact

  • Connections involving NAT will not be checkpointed or restored; they must be re-established after restore.
  • Eliminates restoration of corrupted conntrack state that would otherwise appear as non-NAT traffic.

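The flag check the summary above describes, as an added example that is neither CRIU's code nor this PR's patch: it walks the top-level attributes of one ctnetlink dump message, reads CTA_STATUS (sent in network byte order, hence ntohl()) and reports whether IPS_SRC_NAT or IPS_DST_NAT is set. The names nf_entry_is_nat(), build_ct_msg() and classify_ct_status() are this example's own (the PR's helper is is_nf_dsnat() in criu/net.c); the sample message is constructed inline, with an empty nested CTA_TUPLE_ORIG to show that nested tuples are stepped over rather than parsed.

```c
/* Added example, not CRIU's code: classify a conntrack dump entry by its
 * CTA_STATUS NAT bits. Needs the Linux UAPI netfilter headers. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/netfilter/nf_conntrack_common.h>

/* Walk the top-level attributes of one IPCTNL_MSG_CT_NEW message. Returns true
 * if CTA_STATUS has IPS_SRC_NAT or IPS_DST_NAT set. *has_status reports whether
 * CTA_STATUS was present at all, so a malformed entry is not mistaken for a
 * plain non-NAT flow. (Example name; the PR calls its helper is_nf_dsnat().) */
static bool nf_entry_is_nat(const struct nlmsghdr *nlh, bool *has_status)
{
	const uint32_t hdr = NLMSG_SPACE(sizeof(struct nfgenmsg)); /* nlmsghdr + nfgenmsg */
	const unsigned char *p;
	int remaining;

	*has_status = false;
	if (nlh->nlmsg_len < hdr)
		return false;
	p = (const unsigned char *)nlh + hdr;
	remaining = (int)(nlh->nlmsg_len - hdr);

	while (remaining >= NLA_HDRLEN) {
		const struct nlattr *nla = (const struct nlattr *)p;
		uint16_t type = nla->nla_type & NLA_TYPE_MASK; /* drop NLA_F_NESTED etc. */

		/* refuse truncated or oversized attributes instead of over-reading */
		if (nla->nla_len < NLA_HDRLEN || nla->nla_len > remaining)
			return false;
		if (type == CTA_STATUS && nla->nla_len >= NLA_HDRLEN + sizeof(uint32_t)) {
			uint32_t status;
			memcpy(&status, p + NLA_HDRLEN, sizeof(status));
			status = ntohl(status); /* CTA_STATUS is big-endian on the wire */
			*has_status = true;
			return (status & (IPS_SRC_NAT | IPS_DST_NAT)) != 0;
		}
		/* nested CTA_TUPLE_ORIG / CTA_TUPLE_REPLY are skipped as a whole */
		remaining -= NLA_ALIGN(nla->nla_len);
		p += NLA_ALIGN(nla->nla_len);
	}
	return false;
}

/* Constructed sample input: nlmsghdr, nfgenmsg, an empty nested CTA_TUPLE_ORIG
 * and (if with_status) a CTA_STATUS carrying status_host. Real dump messages
 * carry many more attributes. Returns the message length, 0 on a short buffer. */
static size_t build_ct_msg(unsigned char *buf, size_t bufsz, uint32_t status_host, bool with_status)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct nfgenmsg *nfg;
	struct nlattr *nla;
	size_t off;

	if (bufsz < 64)
		return 0;
	memset(buf, 0, bufsz);
	nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW;
	nlh->nlmsg_flags = NLM_F_REQUEST;
	nfg = (struct nfgenmsg *)(buf + NLMSG_HDRLEN);
	nfg->nfgen_family = AF_INET;
	nfg->version = NFNETLINK_V0;
	off = NLMSG_SPACE(sizeof(*nfg));

	nla = (struct nlattr *)(buf + off); /* nested, empty: walker must step over it */
	nla->nla_type = CTA_TUPLE_ORIG | NLA_F_NESTED;
	nla->nla_len = NLA_HDRLEN;
	off += NLA_ALIGN(nla->nla_len);

	if (with_status) {
		uint32_t be = htonl(status_host);
		nla = (struct nlattr *)(buf + off);
		nla->nla_type = CTA_STATUS;
		nla->nla_len = NLA_HDRLEN + sizeof(be);
		memcpy(buf + off + NLA_HDRLEN, &be, sizeof(be));
		off += NLA_ALIGN(nla->nla_len);
	}
	nlh->nlmsg_len = (uint32_t)off;
	return off;
}

/* Dumper decision for an entry with this status: 1 = NAT (warn and skip),
 * 0 = plain (write to image), -1 = CTA_STATUS missing (treat as malformed). */
int classify_ct_status(uint32_t status_host, bool with_status)
{
	uint32_t raw[32]; /* 4-byte aligned backing store for the message */
	bool has_status;

	if (!build_ct_msg((unsigned char *)raw, sizeof(raw), status_host, with_status))
		return -1;
	if (nf_entry_is_nat((const struct nlmsghdr *)raw, &has_status))
		return 1;
	return has_status ? 0 : -1;
}

int main(void)
{
	static const struct { const char *what; uint32_t status; } samples[] = {
		{ "established plain flow", IPS_CONFIRMED | IPS_SEEN_REPLY | IPS_ASSURED },
		{ "DNAT flow (e.g. iptables REDIRECT)", IPS_CONFIRMED | IPS_SEEN_REPLY | IPS_ASSURED | IPS_DST_NAT },
		{ "SNAT flow (e.g. MASQUERADE)", IPS_CONFIRMED | IPS_SEEN_REPLY | IPS_ASSURED | IPS_SRC_NAT },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int r = classify_ct_status(samples[i].status, true);
		printf("%-36s status=0x%08x -> %s\n", samples[i].what, samples[i].status,
		       r == 1 ? "skip (NAT flags set, not restorable)" : r == 0 ? "dump" : "malformed");
	}
	return 0;
}
```

Builds with plain gcc on Linux (the UAPI headers come from linux-libc-dev). Real entries arrive from an NFNL_SUBSYS_CTNETLINK dump request on a NETLINK_NETFILTER socket, which the example does not open. Note the caveat on the missing-attribute path: an entry with no CTA_STATUS is reported as malformed rather than defaulting to "plain", because silently writing a NAT flow as a non-NAT one is exactly the failure the PR is removing.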
kimchi-review Bot commented May 14, 2026

Kimchi Code Review

Commit: c9e3532
Author: @kr3v
Files changed: 0
Review status: Completed
Comments: 4 (2 info, 2 warning)
Duration: 186s

Summary

📊 Review Score: 80/100 (overall code quality — 0 lowest, 100 highest)
⏱️ Estimated effort to review: 3/5 (1 = trivial, 5 = very complex)

🧪 Tests: yes — A dedicated ZDTM test socket-tcp-ipt-redirect-conntrack is added to verify conntrack behavior under iptables REDIRECT (DNAT). The test exercises the pre/post migration data path and validates that TCP connections survive C/R in the presence of conntrack NAT rules. The Makefile is updated to include the new test.

📝 Found 4 issue(s). See inline comments for details.

What to expect

Kimchi will analyze the changes in this pull request and post:

  • A summary of the overall changes
  • Inline comments on specific lines with findings categorized by issue type

The review typically completes within a few minutes. This comment will be updated once the review is ready.

Interact with Kimchi
  • @kimchi review — re-trigger a full review on the latest commit
  • @kimchi summary — regenerate the PR summary
  • @kimchi ignore — skip this PR (no review will be posted)
  • Reply to any inline comment to ask follow-up questions or request clarification
Configuration

Reviews are configured by your organization admin.
Review instructions, excluded directories, and severity thresholds can be adjusted per repository in the Kimchi dashboard.


Powered by Kimchi — AI-powered code review by CAST AI

@kr3v kr3v force-pushed the istio-netlink-conntrack-v2 branch from c9e3532 to 793813c on May 15, 2026 12:56
kr3v added 2 commits May 17, 2026 18:58
Remove redundant checks for tuple reply and original tuple.